From 85485ea28c25492b4b847074a198e608e4a29b5d Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Tue, 17 Sep 2024 18:03:46 +0200
Subject: OpenVPN: heuristic: add a simple check to avoid false positives
 (#2560)

We should have too big packets during the initial handshake
---
 src/lib/protocols/openvpn.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'src')

diff --git a/src/lib/protocols/openvpn.c b/src/lib/protocols/openvpn.c
index 1c63f5ecd..bf34bf3a9 100644
--- a/src/lib/protocols/openvpn.c
+++ b/src/lib/protocols/openvpn.c
@@ -417,6 +417,10 @@ static int search_heur_opcode(struct ndpi_detection_module_struct* ndpi_struct,
                       iter, offset, pdu_len);
       if(pdu_len < 14)
         return 1; /* Exclude */
+      if(pdu_len > 4 * 1500) { /* 4 full size packets: simple threshold to avoid false positives */
+        NDPI_LOG_DBG2(ndpi_struct, "Heur-opcode: pdu_len %d too big. Exclude\n", pdu_len);
+        return 1; /* Exclude */
+      }
       rc = search_heur_opcode_common(ndpi_struct, flow, *(ovpn_payload + offset + 2));
       NDPI_LOG_DBG2(ndpi_struct, "Heur-opcode: TCP, rc %d\n", rc);
       if(rc > 0) /* Exclude || Found --> stop */
-- 
cgit v1.2.3